vsftpd: chroot_local_user causes GNU/TLS-error

Posted by akrosikam on Ask Ubuntu
Published on 2013-02-14T15:11:31Z

Distro: Ubuntu 12.04.2 Server 32-bit
Server client: vsftpd 2.3.5 (from default "main" repository)

Problem: Since upgrading from Ubuntu 10.04 to Ubuntu 12.04 (nothing changed on the client side), vsftpd has refused to make chroot jails with the "chroot_local_user" directive on FTP(e/i)S connections.

Here's my vsftpd.conf:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
ftpd_banner=How are you gentlemen.
listen=YES

pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES

connect_from_port_20=YES
ftp_data_port=20
listen_port=21

pasv_enable=YES
pasv_promiscuous=NO
pasv_min_port=4242
pasv_max_port=4252
pasv_addr_resolve=YES
pasv_address=your.domain.com

ssl_enable=YES
allow_anon_ssl=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/home/maw/ssl_ftp_test/vsftpd.pem
rsa_private_key_file=/home/maw/ssl_ftp_test/vsftpd.pem

debug_ssl=YES
log_ftp_protocol=YES
ssl_ciphers=HIGH
chroot_local_user=NO

How to reproduce:

  1. Have a working SSL/TLS-secured vsftpd-configuration (I suggest similar to the one above) ready.
  2. Try to connect with an FTP user client and upload some files. With my setup, the above listed config works well at this point.
  3. Edit /etc/vsftpd.conf and set chroot_local_user= to YES. Make sure that chroot_list_enable= and/or chroot_list_file= are not set. Comment them out if they are. Save and exit.
  4. Run sudo restart vsftpd (or sudo service vsftpd restart if you like) in a terminal.
  5. Try to connect with an FTP user client. You should see a message more or less like this: GnuTLS error -15: An unexpected TLS packet was received.

This is an issue for me, as I do not want FTP-sessions to be able to list files outside the user's home folder.

I have checked with several client-side apps, and I get the same results with every one of them. FileZilla is not so good regarding cipher methods nowadays, but as I am able to make an FTP(e)s connection over TLS (as long as chroot'ing is disabled and ssl_ciphers is set to HIGH), I have a feeling ciphers are not the issue this time, and that I won't find the answer by tweaking configs on the client side.

My vsftpd.log stays empty, even though debug_ssl and log_ftp_protocol are enabled, so no info there either.
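The configuration change in step 3 of the reproduction, carried out on a scratch copy of vsftpd.conf so that the "before" state (local users may list files outside their home directory) and the "after" state (chroot jail on, no chroot_list override) can be compared and checked. This is an added example, not part of the original question and not vsftpd's own tooling; it assumes only a POSIX shell with grep and sed. The sample config is constructed from the one in the question (the cert path and pasv hostname are the poster's placeholders), and the extra checks on chroot_list_* and ssl_sslv2/ssl_sslv3 are my reading of what step 3 and the ssl_* lines require, not something the post states.

```shell
#!/bin/sh
# Added example (not from the Ask Ubuntu post): apply the step-3 edit to a
# copy of vsftpd.conf and verify the result, without touching /etc/vsftpd.conf.
set -eu

# Constructed sample config modelled on the one in the question.
# The cert path is the poster's own placeholder.
write_sample_conf() {  # $1 = path to write
  cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/home/maw/ssl_ftp_test/vsftpd.pem
rsa_private_key_file=/home/maw/ssl_ftp_test/vsftpd.pem
ssl_ciphers=HIGH
# chroot settings: the "before" state (jail off, list directives present)
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
EOF
}

# Effective value of a directive: last uncommented occurrence wins
# (vsftpd reads the file top to bottom). Prints nothing if unset.
conf_get() {  # $1 = file, $2 = directive name
  grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//'
}

# Step 3 of the post, applied mechanically: switch chroot_local_user to YES
# and comment out chroot_list_enable / chroot_list_file so they cannot
# exempt anyone from the jail. A backup is kept as $1.bak.
enable_chroot_jail() {  # $1 = file (edited in place)
  sed -E -i.bak \
    -e 's/^[[:space:]]*chroot_local_user=.*/chroot_local_user=YES/' \
    -e 's/^([[:space:]]*chroot_list_(enable|file)=.*)$/#\1/' "$1"
}

# Returns 0 if the file confines local users (chroot on, no list override)
# and keeps SSLv2/SSLv3 off; returns 1 and names each failing directive
# on stderr otherwise.
check_chroot_hardening() {  # $1 = file
  rc=0
  [ "$(conf_get "$1" chroot_local_user)" = YES ] \
    || { echo "chroot_local_user is not YES: users can list outside \$HOME" >&2; rc=1; }
  for k in chroot_list_enable chroot_list_file; do
    [ -z "$(conf_get "$1" "$k")" ] \
      || { echo "$k is set and may exempt users from the jail" >&2; rc=1; }
  done
  for k in ssl_sslv2 ssl_sslv3; do
    [ "$(conf_get "$1" "$k")" != YES ] \
      || { echo "$k=YES enables a deprecated protocol" >&2; rc=1; }
  done
  return $rc
}

# Demonstration on a scratch copy (the live file is /etc/vsftpd.conf).
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
echo "before: chroot_local_user=$(conf_get "$demo_conf" chroot_local_user)"
check_chroot_hardening "$demo_conf" || echo "before: local users NOT confined"
enable_chroot_jail "$demo_conf"
echo "after:  chroot_local_user=$(conf_get "$demo_conf" chroot_local_user)"
check_chroot_hardening "$demo_conf" && echo "after:  local users confined to \$HOME"
rm -f "$demo_conf" "$demo_conf.bak"
```

Run the checker against the real file after the restart in step 4 (check_chroot_hardening /etc/vsftpd.conf) to confirm the edit took effect before testing a client connection; it only reads the file, so it cannot explain the GnuTLS error itself, but it rules out a stray chroot_list_* line or a later duplicate chroot_local_user=NO as the cause.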
